fix: OCI filter pre-release tags

helm/lib/dependabot/helm/update_checker.rb

@@ -21,6 +21,11 @@ class UpdateChecker < Dependabot::UpdateCheckers::Base
 
       require_relative "update_checker/latest_version_resolver"
 
+      # Matches semver-like OCI tags that carry prerelease metadata after the
+      # patch version, including git-describe style builds and branch-based
+      # labels such as 2.0.4-main.146.sha.7ac1266.
+      OCI_PRERELEASE_TAG_REGEX = /\A[vV]?\d+(?:\.\d+){1,}-[0-9A-Za-z][0-9A-Za-z.-]*(?:[+_][0-9A-Za-z.-]+)?\z/
+
       sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
       def latest_version
         @latest_version ||= T.let(fetch_latest_version, T.nilable(T.any(String, Gem::Version)))
@@ -247,13 +252,29 @@ def fetch_oci_tags(chart_name, repo_url)
         release_tags = release_tags.select do |tag|
           # Skip tags that start with "sha256-" or end with .sig, .att, or .metadata
           next false if tag.start_with?("sha256-") || tag.end_with?(".sig", ".att", ".metadata")
+          # Skip prerelease tags for stable dependencies, but keep them when the
+          # current dependency is already on a prerelease track.
+          next false if oci_prerelease_tag?(tag) && !wants_oci_prerelease_tags?
 
           # Use Version.correct? to check if the tag is a valid version
           version_class.correct?(tag)
         end
         release_tags.map { |tag| tag.tr("_", "+") }
       end
 
+      sig { params(tag: String).returns(T::Boolean) }
+      def oci_prerelease_tag?(tag)
+        tag.match?(OCI_PRERELEASE_TAG_REGEX)
+      end
+
+      sig { returns(T::Boolean) }
+      def wants_oci_prerelease_tags?
+        current_version = dependency.version
+        return false unless current_version
+
+        oci_prerelease_tag?(current_version)
+      end
+
       sig { params(repo_url: T.nilable(String)).returns(T.nilable(String)) }
       def extract_repo_name(repo_url)
         return nil unless repo_url

helm/spec/dependabot/helm/update_checker_spec.rb

@@ -142,6 +142,35 @@
           )
         end
       end
+
+      context "when tags include prerelease tags" do
+        before do
+          allow(Dependabot::Helm::Helpers).to receive(:fetch_oci_tags)
+            .with("registry.sweet.security/helm/frontierchart")
+            .and_return(
+              "1.0.124446+3123f85bdf6d8309d3d601938564a996f5cad238\n" \
+              "1.1.0\n" \
+              "3.44.1-1.g585bce1\n" \
+              "2.0.4-qcg2060solacelabels.146.sha.7ac1266"
+            )
+        end
+
+        it "ignores prerelease tags" do
+          expect(checker.latest_version).to eq(
+            Dependabot::Helm::Version.new("1.1.0")
+          )
+        end
+
+        context "when current dependency version is prerelease" do
+          let(:version) { "3.44.0-1.g1234567" }
+
+          it "considers prerelease tags" do
+            expect(checker.latest_version).to eq(
+              Dependabot::Helm::Version.new("3.44.1-1.g585bce1")
+            )
+          end
+        end
+      end
     end
   end